{"id":"CVE-2019-11413","details":"An issue was discovered in Artifex MuJS 1.0.5. It has unlimited recursion because the match function in regexp.c lacks a depth check.","modified":"2025-11-14T09:04:54.849335Z","published":"2019-04-22T11:29:05.157Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RQXMWEOWCGLOLFBQSXBM3MBN33T4I5H/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67PMOZV4DLVL2KGU2SV724QL7Y4PKWKU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFCRO74ORRIVWNVAX2MAMRY3THCTWLQI/"},{"type":"FIX","url":"http://www.ghostscript.com/cgi-bin/findgit.cgi?00d4606c3baf813b7b1c176823b2729bf51002a2"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/108093"},{"type":"REPORT","url":"https://bugs.ghostscript.com/show_bug.cgi?id=700937"},{"type":"FIX","url":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-52"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ccxvii/mujs","events":[{"introduced":"0"},{"fixed":"00d4606c3baf813b7b1c176823b2729bf51002a2"}]}],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11413.json","vanir_signatures":[{"digest":{"line_hashes":["328405976540269171574426997297914194677","28820264005199459397688462374208773754","115592109199251561225957470229191264850","226750050490738593972937077082569382900","69155125341258013954123328355104011081","77096820713038027465313513387023805270","315005900086248995536395981719175767434","216149666753739312383582790045619682561","168456515109874193206925611290153028006","253550608957002984048742218748522361484","287762408062012833408635798592118772120","137730383887993172875415351556081478928","69155125341258013954123328355104011081","276776672032691860051980120189635321903","266411301615837407869656257093229481969","314145028522377723622057038896964445484"],"threshold":0.9},"target":{"file":"jsregexp.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Line","id":"CVE-2019-11413-114fecad"},{"digest":{"line_hashes":["330965224016776617240452473972315112551","58964011766658985470013927467697484949","176767735585995718426812377021175604165","123536798619340063084627279451439359063","231046069591279148126070084298970803402","5287918556042149318192442446806847504","287193021135044603271244314570652558334","202744504905120609071170884280242896199","194351706831580525447197604745961517861","334829691300371767366618103142826745106","169857290851853590971919266879610618973","286896113520376559902133287845527907424","197681301474642604700859790348536351287","232423398726502071057638062602092753142","189006633549113417139150172317856480201","167328274318717965556161185633391730047","176063706678471336977323934073893304016","334579183653757837120576605177283106136","58763863424638248742034087645858702466","129874232254581069034471705808900361232","247427644812182656508502385897147933924","337443522489899303815393167934168774698","338755146517799274182645668824973276016","169692392282005607412582307424659929192","227293568371808730775993394494343448625","12126810818913648188528891624158112881","287193021135044603271244314570652558334"],"threshold":0.9},"target":{"file":"jsstring.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Line","id":"CVE-2019-11413-20251384"},{"digest":{"function_hash":"267053980900087563202678398536745118654","length":475},"target":{"function":"Sp_search","file":"jsstring.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-4185540e"},{"digest":{"function_hash":"149930013163735048775688674593473367504","length":637},"target":{"function":"Rp_test","file":"jsregexp.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-513fac1d"},{"digest":{"function_hash":"225278297047289474161465028593504660958","length":912},"target":{"function":"Sp_match","file":"jsstring.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-799fb950"},{"digest":{"function_hash":"291588033121990331669194027304663402612","length":947},"target":{"function":"js_RegExp_prototype_exec","file":"jsregexp.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-8f7268ff"},{"digest":{"function_hash":"91036703367916865135613502024098656296","length":373},"target":{"function":"regexec","file":"regexp.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-adb49342"},{"digest":{"function_hash":"34928958227256639096047503002150688073","length":2433},"target":{"function":"Sp_replace_regexp","file":"jsstring.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-c4f0b314"},{"digest":{"function_hash":"148362416329383555131224799604554120129","length":2870},"target":{"function":"match","file":"regexp.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-cb719c86"},{"digest":{"line_hashes":["225263007365615047898124717984119051470","182627581303940126331269315450078115057","287377703607885720243941633031137605297","91360768759118425562393780302982104395","277648193835602456057867605365205019848","223840250403981742469014160818208676008","134593007767185356140262847844181999685","191989437533716832358102371979548116371","216093532092901522363861832414252330076","272064566688293626688767693893681253762","70395787211362429765808746241834027059","190776711114753665108012697145075423629","126409070836290508438180668627733954767","336639243531109807980368652471249278343","119420185672216028514963914649153293239","230419778254456482294125656867733565508","18497573312895518701769482494338893005","154585784789569428767648640168556182671","201075947575967831659393507663307067724","131940557551555546525475533326248324739","93506323436592743798896117840318733220","210591432998882314907880314976386640309","230966921352015408993278978679910039058","2360560577135982762752444717464726202","313826893513626893114985429960264917495","173406009092327143196963296196196327319","304185176498971339288465689558694933751","45838668443297120911388956801300775823","252893044579548969413722696678317837242","127789680793755140188988905509171856096","31126428540229089634295739215002652216","201532445915361911577167833918647973720","30163370915299328700415175376347428204","52509136589997591162771560975448405466","237568274032854139058681087698541330018","229217648290836315780987743966692372797","41152849236970927661612313346479296579","242833264553864300797838934034301448379","161524276639064651364268618787383083679","172494494246805085824134046124392516078","286491927290047712579136201681083602577","144710828917656421506428020081180062563","134608598623662994389699740553460429635","271844288251657391404005558160355789508","143691771808886215709841114813364889909","282751239886950949604205640177176992371","19713176475969993883589955933946781797","192336618662861795886112405233090536944","260287677038579498704548389379726980759","77183365741060131226696214042325295391","248689062423654024993939661355435899529","262932785788637118354858837125268180362","150882725231579643345117822047166077973","45088159157602093197126203206680066548","122729799123437727666359942570710165081","308680675398570616870284644535491844172","49069206952578803296692344412970397322","166944008357224349099905759197912538772","334473789652024146498957944580858267009","245203270802200340165758591052300233297","337501847162721299425063264329008808394","185861803440088485447304284811706134511","87848380271441691558338670955635556757","250340352733639785193395667893704113195","272934861496033961789049942527606974749","63426468969817908893551939461682974567","4617907122744023925044387818765324002","82328687963155531977422800009748230322","225828852006357472418770436437342507278","54906730302952238193614763829176276855","323968866993344841232528585024853625775","48757925095333006089511545405056711188","262058957650701651704254967834145134049","279372775297892802860547335020436436778","243690997604138377975010900296305307158","87848380271441691558338670955635556757","102785831610760776915222174173217672074","286472566869577214013667643148448373129","143660405849237863464678912222137291773","338065838012653297087620634270043727511","186738147107032044504265480212657851217","205066821341316272470018506913547561265","145308058536890971227402621999999480392","323968866993344841232528585024853625775","100304031802382319172524914415680205972","79290208266533807946954988008284849563","102725047612123779628435899400477909989","307117376807924486809514587629929146538","235581232317006770953634587489549333273","73165529593106242244107913746197821982","54635184950800310761552668973652665748","220874209762409506206246963739310088927","213728712173786024690241422022680908853","25222963565205918749457348982134123057","49772265516008674739997885205025905032","220874209762409506206246963739310088927","257156530386874641321270824601702092597","93595371896438691114736507340051122750","260084532033891706707326074957729897150","14971754884795869565073787685542052406","1078181364274472812753612067421959652","301713892399161099151525063888096843426","205860271325590875733157511061183211570","117946242536166559400892755064101642490","172437013890230458041119047437280337713","227476146869532948797210707269009527788","225641819979679513292854636018334642706","314701418728820466377325614308991909655","40000270140298023458799888171711780995","223774624998376942748813277274825267487","199024449340903120365047381353321660571","92149463732638044550589731138281865014","135045007302257789395044528308605937321","208980442944854511390791043474728035772","6787890327123429999107524848591567269","51550610346862259938451277780043809422","289031124834923009876317229978282939875","97147650477433733740198756231488737752","250202481077197482080830726993754552125"],"threshold":0.9},"target":{"file":"regexp.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Line","id":"CVE-2019-11413-ee684a5c"},{"digest":{"function_hash":"293228003348465381164972282368932003000","length":1163},"target":{"function":"Sp_split_regexp","file":"jsstring.c"},"signature_version":"v1","source":"https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2","deprecated":false,"signature_type":"Function","id":"CVE-2019-11413-fc9105e0"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}